(1) The Law Was Passed in Seven Days
In May 2017, AB 375 (California Consumer Privacy Act of 2018) (“CaCPA”) passed the Assembly only to be placed on inactive status in September 2017.
In the interim, San Francisco Bay Area housing developer Alastair Mactaggart launched Californians for Consumer Privacy and qualified the CaCPA for the November 2018 ballot. As drafted, CaCPA had a provision that would only permit amendment if approved by 70 percent of each house of the legislature (and only if the amendments were “consistent with and further the intent of” the CaCPA). The legislature reached an agreement with Mactaggart to pass a version of the CaCPA so long as he withdrew the initiative, and in a period of seven days the CaCPA went from inactive to being signed by the Governor on June 28th.
As Santa Clara Law School Professor Eric Goldman noted:1
The result is a sweeping, lengthy (10,000 words!), insanely complicated, and poorly drafted privacy regulation that will govern the world’s fifth largest economy. Needless to say, this rushed and non-inclusive process created a law with many defects, ranging from typos and drafting errors to terrible policy ideas.
(2) CaCPA Enumerated Rights
CaCPA explains that California law “has not kept pace” with the privacy implications surrounding the increased collection, use and protection of consumer information. “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.”
As a result, the legislation states that it is seeking to further Californians’ constitutional right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
(3) What is “Personal Information”?
CaCPA’s obligations extend to “personal information” of a California resident, which it defines broadly to include “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act provides a list of examples of data sources that are personal information including personally identifiable information, IP address, browsing information, biometric and geolocation data etc., but the definition also includes inferences drawn from these sources.
(4) Who Does It Apply To?
The requirements of the CaCPA extend to a business that (a) collects, transfers or sells personal information of a California consumer and (b) either:
- Has annual gross revenue in excess of $25 million; or
- Purchases, receives, sells or shares the personal information of 50,000 or more “consumer, households or devices”; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
An IAPP analysis found that the first prong alone would apply to over 500,000 businesses.2 One commentator raised concerns about the second prong of the test, fearing that the 50,000 “consumer, households or devices” threshold may ensnare most online retailers and even bloggers just by the passive collection of IP addresses.3
- “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used” (with any additional uses requiring notice to the consumer);
- lists of the categories of personal information it has collected, sold or disclosed; and
- a description of the consumer’s rights under the Act including its right to opt-out, to request data deletion and how to request information on the data the business collected, disclosed or sold.
Businesses also must provide a clear link on their homepage titled “Do Not Sell My Personal Information,” leading to a page that enables consumers to opt out of the sale of their personal information.
(6) Disclosure Requests and Opting Out
Businesses must make available “two or more” methods, including a toll-free number and a website, for consumers to exercise the disclosure rights under the Act. This includes requesting that a business that collects, transfers or sells their data disclose to that consumer, free of charge and within forty-five days of a “verified” request:
- the categories of personal information it has collected about that consumer;
- the sources from which the personal information is collected;
- the purpose for collecting or selling personal information;
- the categories of third parties with whom the business shares personal information; and
- the specific pieces of personal information it has collected about that consumer.
The consumer information provided must be in a “readily useable format” (i.e., data portability). The consumer may request that a business delete any personal information or opt-out of the further sale or transfer of such data (subject to exceptions such as if the data is needed to perform the service for the consumer).
CaCPA provides that businesses “shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title” by denying service or offering different services or prices based on the exercise of rights under the Act – except where it is “reasonably related to the value provided to the consumer by the consumer’s data.” How this is interpreted remains to be seen.
Businesses, however, may offer financial incentives to consumers for the use of their data on an opt-in basis.
(8) Consent for Minors
While CaCPA generally establishes an opt-out regime, that is not the case for consumers under the age of 16. Businesses may not sell the personal information of consumers under 17 years without the affirmative consent of the consumer if aged 13-16 or a parent or guardian if under 13.
Enforcement of the statute is generally by the California Attorney General who may recover up to $7,500 per intentional violation and $2,500 for an unintentional violation that is not cured within thirty (30) days of notice.
CaCPA provides for a limited private right of action to a consumer “whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” An injured consumer may recover $750 per incident but must give prior notice and an opportunity to cure to the business before filing suit. The consumer also must notify the California Attorney General within thirty days of filing suit, who may take over the action or order the consumer not to proceed with the action.
(10) CaCPA As a Moving Target
CaCPA goes into effect on January 1, 2020, and directs the California Attorney General to implement regulations on or before the effective date on a variety of items – including procedures for processing consumer requests. At the same time, CaCPA backers fully expect to enact clarifying amendments to the law either later this year or in 2019 – and industry is pushing to narrow the scope of the bill.4 As a result, businesses are being asked to comply with what is, in essence, a moving target.
Passage of CaCPA also has stirred debate in other state capitals and in Washington. Big Tech has been meeting with the Trump administration over a potential federal privacy bill that would likely preempt the California law, while former Obama administration officials have suggested revisiting their proposed “Privacy Bill of Rights.”5
In 2003, Congress passed the CAN-SPAM Act less than 90 days after California attempted to ban spam and prior to that bill going into effect. Privacy, however, is a much more complex subject that would involve the jurisdiction of multiple committees in both houses, making a quick consensus more difficult to achieve.
In a three-part series for the IAPP, Robert Gellman outlines the challenges of passing a U.S. privacy law and concludes:
It is apparent that there are many obstacles: substantive, procedural, and political. If everyone worked in good faith, it’s conceivable that something acceptable could emerge in a few years. However, I don’t think that there is enough consensus in the U.S. privacy world to have much hope right now. Maybe the dynamic will change as the EU moves to enforce the GDPR. Maybe not.
(11) What Should You Do?
Whether it is the EU’s GDPR or CCPA, businesses need to be ready for a potential new era of privacy scrutiny and should:
- begin to map and inventory the data they collect and how it is used and shared (this includes assessing the need for such data consistent with GDPR data minimization);
- determine operationally what steps they would need to take to respond to information requests under CaCPA; and
- consider creating separate websites for California users.
See notes below; Professor Solove’s California Consumer Privacy Act resources page; Lydia de la Torre’s comparison of GDPR and CaCPA; and the Assembly Committee On Privacy And Consumer Protection’s analysis of the CaCPA (immediately below).
1 Goldman, Eric, An Introduction to the California Consumer Privacy Act (CCPA) (July 9, 2018).
2 Rita Heimes & Sam Pfeifle, New California Privacy Law to Affect More Than Half A Million US Companies, IAPP (July 2, 2018).
3 Lothar Determann, Analysis: The California Consumer Privacy Act of 2018, IAPP (July 2, 2018).
Most companies operate websites and inevitably capture IP addresses. Notably, companies need to comply regardless of whether the website targeted businesses or individual customers in California given that the term “consumer” is defined to mean any “resident.” Even individual bloggers and relatively small businesses outside California may find it difficult to ensure that they do not receive personal information of more than 50,000 California resident visitors to their website annually, simply from having it be passively accessible from there, and, within California, most retailers, fitness studios, music venues and other businesses will meet this threshold.
4 See SB-1121 currently pending; Wendy Davis, California Lawmakers Urged To Reject Attempts To Weaken Privacy Law, Digital News Daily (Aug. 13, 2018); Eric Goldman, Recent Developments Regarding the California Consumer Privacy Act, Technology & Marketing Law Blog (Aug. 16, 2018).
5 Tony Romm, The Trump administration is talking to Facebook and Google about potential rules for online privacy, Washington Post (July 27, 2018); Cameron F. Kerry, Why protecting privacy is a losing game today—and how to change the game, Brookings Institute (July 12, 2018).